> On 14. 9. 2021, at 13:45, Michal Skrivanek <michal.skriva...@redhat.com> > wrote: > > > >> On 10. 9. 2021, at 20:06, Milan Zamazal <mzama...@redhat.com> wrote: >> >> Michal Skrivanek <michal.skriva...@redhat.com> writes: >> >>>> On 8. 9. 2021, at 20:48, Milan Zamazal <mzama...@redhat.com> wrote: >>>> >>>> Hi, >>>> >>>> we had to disable VNC OST test some time ago because it started failing. >>>> I looked at why it fails and the reason provided by >>>> ovirt-websocket-proxy is >>>> >>>> do_vencrypt_handshake:187 Server supports the following subtypes: 263 >>> >>> 263 is VNC_AUTH_VENCRYPT_X509SASL >>> because with fips we change libvirt configuration to SASL? >> >> libvirt configuration is the same whether we boot with fips=0 or fips=1 >> (and disable/enable FIPS for the cluster accordingly). And the proxy >> works with fips=0 even when auth_unix_rw="sasl" is set in the libvirt >> configuration. > > it could be qemu’s decision to enforce only this one when FIPS enabled > >> >> So should we add VENCRYPT_X509SASL support to the proxy? > > yes, I do not see any other way when this is the only supported connection > type
and I think you have bigger issues, on el8stream we now pick up websockify 0.9 with [1], which changed the API we override, so the connection doesn’t work at all now all you get is ovirt-websocket-proxy[68086] INFO msg:630 handler exception: get_target() missing 1 required positional argument: 'path' so first you need to update the proxy to handle 0.9 but also 0.8 that we use on RHEL Thanks, michal [1] https://github.com/novnc/websockify/commit/af85184e28d8e4333472940bfe1d2eb6436b6733 > >> >>>> Server does not support X509VNC. OvirtProxy only supports X509VNC >>>> >>>> This happens only when FIPS is enabled and is reproducible outside OST. >>>> The only thing that seems to have influence on whether it works or not >>>> is the value of `fips' kernel command line parameter -- when it's >>>> changed to fips=0 then noVNC console works without any other changes. >>>> >>>> So it looks like some change in QEMU. I'm not an expert in this area >>>> and don't know what those protocols are about, why the proxy supports >>>> only X509VNC and why the mismatch in expectations on both the ends >>>> happens when FIPS is enabled. Can anybody help clarify it and provide >>>> an idea how to resolve the problem? >>>> >>>> Thanks, >>>> Milan >>>> _______________________________________________ >>>> Devel mailing list -- devel@ovirt.org >>>> To unsubscribe send an email to devel-le...@ovirt.org >>>> Privacy Statement: https://www.ovirt.org/privacy-policy.html >>>> oVirt Code of Conduct: >>>> https://www.ovirt.org/community/about/community-guidelines/ >>>> List Archives: >>>> https://lists.ovirt.org/archives/list/devel@ovirt.org/message/S6MCLJV2QMQ3YLJDUUBT3AZVEADXJ6GK/ >> > _______________________________________________ Devel mailing list -- devel@ovirt.org To unsubscribe send an email to devel-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/TIATUMJCBHOA3BNR3UHUZZ2EPQP3242U/